But if your
device is made by another vendor, June’s Android
patches could turn up any time from next month to some point later this
year.

Given that June’s
two patch levels (2019-06-01 and 2019-06-05) comprise only 13 CVEs plus another
9 from Qualcomm, this might not sound like that big a loss.

But if the same
device is also missing previous updates, as many will be, the number of missing
patches rises to dozens.

Amplifying the
update confusion is Android’s version fragmentation, which gave Apple CEO Tim
Cook cause to gloat when he mentioned at this week’s WWDC 2019 conference that
the newest version of Android
is still only running on 10% of Google’s mobile devices compared to 85% of
iPhones running the latest iOS.

On Monday, at its Worldwide Developers Conference (WWDC), Apple had a big
on-stage announcement of its new Sign In with Apple offering.

But it also made
a less ballyhooed tweak: the company swept kids up in its privacy
march.

On Monday, Apple
updated the Kids category in its App Store
developer guidelines to include a new ban on third-party advertising or
analytics (which are ostensibly used for tracking) in content aimed at younger
audiences.

Previously, the guidelines
only restricted behavioral advertising tracking – e.g., advertisers weren’t
allowed to serve ads based on kids’ activity, plus ads had to be appropriate
for young audiences.

The current
guidelines also (still) stipulate that apps can’t include links that take a
user outside of the app, or other things that would “distract” kids, unless
they’re behind a parental gate: a feature used in
apps targeted at kids that keeps them from buying stuff or following links out
of an app to websites, social networks, or other apps without the knowledge of
their parent or guardian.

Apple also
reminded developers to pay attention to privacy laws around the world when it
comes to the data they collect from kids.

A Boston federal
court on Monday sentenced a Romanian national to 65 months in federal prison
for a multi-state ATM card-skimming scheme through which he and his gang
drained $868,706 from 531 people’s bank accounts.

The Justice
Department said that Bogdan Viorel Rusu, 38, was also sentenced to five
years of supervised release and ordered to pay restitution and forfeiture of
$440,130.

Rusu pleaded guilty in September 2018 to one count each of conspiracy to
commit bank fraud, bank fraud, and aggravated identity theft. He had been
arrested in November 2016 and has been in custody since then.

ID’ed through his asylum application photos

According to court documents, video surveillance cameras picked up a man
installing a pinhole camera and a skimmer device on a bank ATM located in
Chicopee, Massachusetts, in August 2014.

Thomas Roldan – a
special agent with Homeland Security’s Immigration and Customs Enforcement
(ICE) within the US Department of Homeland Security (DHS) – said in an
affidavit that he identified Rusu based on photos that Rusu submitted in
support of an asylum application to US Citizenship and Immigration, as well as
Roldan’s own physical surveillance of the suspect.

The skimming
devices were plugged in at around 16:26, and then the video cameras picked up
footage of somebody else picking up the pinhole camera and skimmer a few hours
later, at 20:01. Bank records showed that 85 customers used the ATM during that
time, and 12 of them later reported losses totaling $8,399.43.

Next day, same
thing, but this time, Rusu plugged in the skimming devices and picked them back
up himself after a few hours. That time, customers lost $9,823.50.

Apple’s Worldwide Developers Conference (WWDC) on Monday was full of
surprises. One of them was a new feature designed to make signing in to apps
and websites more private: ‘Sign In with Apple’.

You know how
you’ve signed up for dozens of accounts on websites over the years? You have to
enter your email address, choose a password that meets requirements,
store it (hopefully with a password manager)… and soon after comes the flood of
junk mail from the site’s needy marketing team.

Some folks use a
throwaway-email address service for each new account. But what if you want to
see some of that mail? And how sure are you that the dummy address won’t get
reused in the future by someone else? And how do you know if the website’s
going to store your password securely?

The other option
is to use a single sign-on service from one of the two big providers: Google or
Facebook. When you see a ‘Sign In With Google’ or ‘Sign In With Facebook’
button on a web site, it’s offering to let you use your Google or Facebook ID
for a quick, one-click sign up or sign on, no password required, as long as
you’re signed into Google or Facebook.

The problem with
services like these is that the companies running them (and their hidden
partners) end up knowing more about you than your grandmother.

Sign In with
Apple is Cupertino’s privacy-conscious version of those services. The idea is
to make signing in – and signing up – to websites as simple as possible,
without having to provide any personal information.

What’s more
embarrassing than a researcher revealing a security oversight in a company’s
software?

In the case of
Apple, it would be when that software, macOS 10.15 ‘Catalina’, hasn’t even
shipped to users yet.

The bearer of bad
news was noted researcher Patrick Wardle of Digita Security, who used last
weekend’s Objective by the Sea conference in advance of macOS 10.15’s launch
this week to reveal a weakness through which malicious apps could exploit
‘synthetic clicks’ – automated clicks or keystrokes made by an app in the
interests of accessibility.

Hijacking this,
malware could automatically generate synthetic clicks to bypass prompts that
ask the user to authorize actions such as installing software, hijacking
webcams and microphones, or accessing Apple’s Keychain password manager, none
of which would be a good thing.

Because macOS
security depends on the response to such alerts, malware that can simulate
these clicks on behalf of the user would have a dangerous amount of power.

In 2017 it was realized
that FruitFly malware had adopted the technique as far back as 2008, as did DevilRobber
in 2011 and Genieo in 2014, so the threat is more than theoretical.

The flaw

To counter this,
Apple introduced a whitelist that limited access to synthetic clicks to
applications approved by the user.

However, it was discovered that, for reasons of backwards compatibility,
Apple had built in some exceptions to this rule through the Transparency,
Consent, and Control (TCC) system, including for the open source VLC media
player, Adobe Dreamweaver, and the Steam games platform.
